Facebook API bug may have exposed 6.8 million users' private photos

Another week and yet another in a seemingly endless stream of Facebook privacy issues. The social networking giant has found itself apologizing, yet again, for leaking users' private data. This time around, an API bug meant that private photos of millions of users may have been exposed to app developers.

The bug was present for nearly two weeks and it went further than simply giving developers access to photos users had posted to their accounts -- it also exposed photos that had been uploaded but not actually posted.

Revealing the news in a statement, Facebook's Tomer Bar said that between September 13 and September 25, 2018, "some third-party apps may have had access to a broader set of photos than usual". The problem was found in a photo API and affected people who used Facebook Login and granted third-party apps permission to access their photos.

"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it -- maybe because they've lost reception or walked into a meeting -- we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.

"Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos."

So Facebook once again apologizes and says it will notify users who may have been affected by the problem. An update is due to be pushed out in the next few days that will let developers determine which users of their apps may have been affected by the bug.

As a result of this latest privacy issue, the Irish Data Protection Commissioner (DPC) says that it will be investigating Facebook. The probe will examine Facebook's "compliance with the relevant provisions of the GDPR (General Data Protection Regulation)".